Created on 09-20-2023 07:51 AM Edited on 08-22-2024 09:04 AM By Stephen_G
This article describes the issue of full disk utilization.
Scope
FortiDeceptor.
First, if the decoys are not configured to reset after an attack, this can cause the issue: an attacker may download or install malware on the decoy, and that malware keeps increasing disk utilization.
So when creating decoys, make sure the reset option is enabled; it is also possible to configure the time period after which the decoy is reset following an attack.
Second, in FortiDeceptor version 4.1 and lower, if the deployment network is connected to a trunk port carrying a large traffic volume, this causes high disk utilization: a feature analyzes all traffic passing through the deployment network, and the temporary traffic content accumulates when traffic arrives faster than the temporary content can be cleared.
There are three solutions:
The first solution is to limit, outside FortiDeceptor, the traffic that reaches it to a lower volume, for example by restricting the VLANs allowed on the trunk port or by connecting FortiDeceptor to an access port only;
The second solution is to upgrade to version 4.2 or higher. Starting from 4.2, the analysis feature no longer runs on all traffic but only on traffic destined for the decoys, which greatly reduces the size of the temporary content.
It is recommended to proceed with the second solution, an upgrade to 4.2 or higher.
The third solution is to run the command data-purge -k<N>, which automatically purges data older than the specified number of days, where N is a value from 1 to 365.
For example, to purge data older than 10 days:
data-purge -k10
This option cannot be used with other options.
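As an added illustration, not FortiDeceptor's own code, the script below reproduces the retention rule that data-purge -k<N> expresses (keep N days of data, with N between 1 and 365, and refuse anything else) against an ordinary directory on a Linux or Unix host, and only runs the purge once the filesystem has reached a usage threshold. The directory, the threshold value and the file layout are assumptions constructed for this example; the FortiDeceptor command itself has no threshold argument.

```shell
#!/bin/sh
# Added example, not FortiDeceptor code: a generic "purge data older than N
# days once the disk is getting full" routine for a Linux/Unix host. The
# directory path, threshold and file layout are assumptions for illustration.

# Validate the retention window the way the article describes it: an integer
# between 1 and 365 days.
valid_days() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 365 ]
}

# Percentage of the filesystem holding $1 that is in use, from POSIX df -P
# (the Capacity column is the fifth field of the second line).
disk_usage_pct() {
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# Remove regular files under $1 whose modification time is older than $2 days.
# Prints the number of files removed; returns 1 on invalid arguments.
purge_older_than() {
    dir=$1
    days=$2
    valid_days "$days" || { echo "days must be 1-365" >&2; return 1; }
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    # Count first so the caller can log how much was reclaimed.
    count=$(find "$dir" -type f -mtime +"$days" | wc -l | tr -d ' ')
    find "$dir" -type f -mtime +"$days" -exec rm -f {} +
    echo "$count"
}

# Purge only when usage of the filesystem holding $1 has reached $3 percent;
# prints the number of files removed (0 when below the threshold).
purge_if_full() {
    dir=$1
    days=$2
    threshold=$3
    usage=$(disk_usage_pct "$dir")
    if [ "$usage" -ge "$threshold" ]; then
        purge_older_than "$dir" "$days"
    else
        echo 0
    fi
}
```

Run it from cron or a timer with a directory, a retention window and a threshold, for example purge_if_full /var/tmp/analysis 10 80, to mirror the "purge older than 10 days" case above while leaving recent data untouched when the disk is not under pressure.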
Copyright 2024 Fortinet, Inc. All Rights Reserved.